<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Get records API | ElasticSearch 7.7 Definitive Guide (Chinese edition)</title>
	<meta name="keywords" content="ElasticSearch Definitive Guide Chinese edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <meta name="description" content="ElasticSearch Definitive Guide Chinese edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'ml-get-record.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/ml-get-record.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/ml-get-record.html</a>; the original documentation is copyright www.elastic.co<br/>Local English version: <a href="../en/ml-get-record.html" rel="nofollow" target="_blank">../en/ml-get-record.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>Important</strong>: This version will not receive further bug fixes or documentation updates. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current version of the documentation</a>.
</div>
<div id="content">
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="ml-get-record"></a>Get records API
</h2>
</div></div></div>

<p>Retrieves anomaly records for an anomaly detection job.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-request"></a>Request
</h3>
</div></div></div>
<p><code class="literal">GET _ml/anomaly_detectors/&lt;job_id&gt;/results/records</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-prereqs"></a>Prerequisites
</h3>
</div></div></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If the Elasticsearch security features are enabled, you must have <code class="literal">monitor_ml</code>,
<code class="literal">monitor</code>, <code class="literal">manage_ml</code>, or <code class="literal">manage</code> cluster privileges to use this API. You also
need <code class="literal">read</code> index privilege on the index that stores the results. The
<code class="literal">machine_learning_admin</code> and <code class="literal">machine_learning_user</code> roles provide these
privileges. See <a class="xref" href="security-privileges.html" title="Security privileges">Security privileges</a> and <a class="xref" href="built-in-roles.html" title="Built-in roles">Built-in roles</a>.
</li>
</ul>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-desc"></a>Description
</h3>
</div></div></div>
<p>Records contain the detailed analytical results. They describe the anomalous
activity that has been identified in the input data based on the detector
configuration.</p>
<p>There can be many anomaly records depending on the characteristics and size of
the input data. In practice, there are often too many to be able to manually
process them. The machine learning features therefore perform a sophisticated aggregation of
the anomaly records into buckets.</p>
<p>The number of record results depends on the number of anomalies found in each
bucket, which relates to the number of time series being modeled and the number
of detectors.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-path-parms"></a>Path parameters
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">&lt;job_id&gt;</code>
</span>
</dt>
<dd>
(Required, string)
Identifier for the anomaly detection job.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-request-body"></a>Request body
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">desc</code>
</span>
</dt>
<dd>
(Optional, boolean)
If true, the results are sorted in descending order.
</dd>
<dt>
<span class="term">
<code class="literal">end</code>
</span>
</dt>
<dd>
(Optional, string) Returns records with timestamps earlier than this time.
</dd>
<dt>
<span class="term">
<code class="literal">exclude_interim</code>
</span>
</dt>
<dd>
(Optional, boolean)
If <code class="literal">true</code>, the output excludes interim results. By default, interim results are
included.
</dd>
<dt>
<span class="term">
<code class="literal">page</code>.<code class="literal">from</code>
</span>
</dt>
<dd>
(Optional, integer) Skips the specified number of records.
</dd>
<dt>
<span class="term">
<code class="literal">page</code>.<code class="literal">size</code>
</span>
</dt>
<dd>
(Optional, integer) Specifies the maximum number of records to obtain.
</dd>
<dt>
<span class="term">
<code class="literal">record_score</code>
</span>
</dt>
<dd>
(Optional, double) Returns records with anomaly scores greater than or equal to
this value.
</dd>
<dt>
<span class="term">
<code class="literal">sort</code>
</span>
</dt>
<dd>
(Optional, string) Specifies the sort field for the requested records. By
default, the records are sorted by the <code class="literal">anomaly_score</code> value.
</dd>
<dt>
<span class="term">
<code class="literal">start</code>
</span>
</dt>
<dd>
(Optional, string) Returns records with timestamps after this time.
</dd>
</dl>
</div>
</div>
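<p>The request-body parameters above map directly onto a JSON document, and <code class="literal">page.from</code> / <code class="literal">page.size</code> together with the response's <code class="literal">count</code> are what you use to walk a large result set without loading it all at once. The following Python is an added example, not code from the Elasticsearch documentation or from the official client library: it builds the body with basic validation and pages through results. <code class="literal">transport</code> is an assumed stand-in for whatever HTTP client you use (it takes a path and a body and returns the decoded JSON); the sample records are constructed for this example and are not real job output.</p>

```python
"""Added example (not from the Elasticsearch docs or client library): build the
JSON body for GET _ml/anomaly_detectors/{job_id}/results/records from the
documented parameters, then page through the results with page.from / page.size.
`transport` is an assumed stand-in for an HTTP client: it takes (path, body)
and returns the decoded JSON response."""
from typing import Any, Callable, Dict, Iterator, List, Optional

RECORDS_PATH = "_ml/anomaly_detectors/{job_id}/results/records"


def build_records_body(
    *,
    sort: str = "record_score",
    desc: bool = True,
    start: Optional[str] = None,
    end: Optional[str] = None,
    record_score: Optional[float] = None,
    exclude_interim: bool = False,
    page_from: int = 0,
    page_size: int = 100,
) -> Dict[str, Any]:
    """Map the request-body parameters onto JSON, validating the ones that are
    easy to get wrong. start/end are passed through as strings, as documented."""
    if page_from < 0 or page_size <= 0:
        raise ValueError("page.from must be >= 0 and page.size must be > 0")
    if record_score is not None and not 0.0 <= record_score <= 100.0:
        raise ValueError("record_score is a normalized score between 0 and 100")
    body: Dict[str, Any] = {
        "sort": sort,
        "desc": desc,
        "exclude_interim": exclude_interim,
        "page": {"from": page_from, "size": page_size},
    }
    if start is not None:
        body["start"] = start
    if end is not None:
        body["end"] = end
    if record_score is not None:
        body["record_score"] = record_score
    return body


def iter_records(transport: Callable[[str, Dict[str, Any]], Dict[str, Any]],
                 job_id: str, page_size: int = 2, **filters: Any) -> Iterator[Dict[str, Any]]:
    """Yield every record matching `filters`, fetching one page at a time.
    `count` in the response is the total number of matching records, so the
    loop stops once the offset reaches it (or a page comes back empty)."""
    offset = 0
    while True:
        body = build_records_body(page_from=offset, page_size=page_size, **filters)
        resp = transport(RECORDS_PATH.format(job_id=job_id), body)
        page = resp.get("records", [])
        yield from page
        offset += len(page)
        if not page or offset >= resp.get("count", 0):
            return


# Constructed sample data standing in for a live cluster (not real results).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"timestamp": 1577793600000, "record_score": 94.9, "is_interim": False, "detector_index": 0},
    {"timestamp": 1577797200000, "record_score": 71.2, "is_interim": False, "detector_index": 0},
    {"timestamp": 1577800800000, "record_score": 55.0, "is_interim": True, "detector_index": 0},
    {"timestamp": 1577804400000, "record_score": 12.3, "is_interim": False, "detector_index": 0},
    {"timestamp": 1577808000000, "record_score": 3.1, "is_interim": False, "detector_index": 0},
]


def fake_transport(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the body's score filter, interim exclusion, sort, and paging to
    SAMPLE_RECORDS the way the API does, so the paging loop runs offline."""
    assert path.startswith("_ml/anomaly_detectors/")
    rows = [r for r in SAMPLE_RECORDS
            if r["record_score"] >= body.get("record_score", 0.0)
            and not (body.get("exclude_interim") and r["is_interim"])]
    rows.sort(key=lambda r: r[body["sort"]], reverse=body["desc"])
    start, size = body["page"]["from"], body["page"]["size"]
    return {"count": len(rows), "records": rows[start:start + size]}


def high_scoring_timestamps(min_score: float, exclude_interim: bool) -> List[int]:
    """Timestamps of all records at or above min_score, gathered across pages."""
    return [r["timestamp"] for r in iter_records(fake_transport, "low_request_rate",
                                                 page_size=2,
                                                 record_score=min_score,
                                                 exclude_interim=exclude_interim)]


if __name__ == "__main__":
    print(build_records_body(start="1454944100000", record_score=50.0))
    print(high_scoring_timestamps(50.0, exclude_interim=True))
```

<p>Stopping on <code class="literal">count</code> rather than on an empty page saves one round trip per query, and passing <code class="literal">record_score</code> and <code class="literal">exclude_interim</code> to the server instead of filtering client-side keeps the <code class="literal">read</code> traffic against the results index proportional to what you actually triage.</p>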

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-results"></a>Response body
</h3>
</div></div></div>
<p>The API returns an array of record objects, which have the following properties:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">actual</code>
</span>
</dt>
<dd>
(array) The actual value for the bucket.
</dd>
<dt>
<span class="term">
<code class="literal">bucket_span</code>
</span>
</dt>
<dd>
(number)
The length of the bucket in seconds. This value matches the <code class="literal">bucket_span</code>
that is specified in the job.
</dd>
<dt>
<span class="term">
<code class="literal">by_field_name</code>
</span>
</dt>
<dd>
(string)
The field used to split the data. In particular, this property is used for
analyzing the splits with respect to their own history. It is used for finding
unusual values in the context of the split.
</dd>
<dt>
<span class="term">
<code class="literal">by_field_value</code>
</span>
</dt>
<dd>
(string) The value of the by field.
</dd>
<dt>
<span class="term">
<code class="literal">causes</code>
</span>
</dt>
<dd>
(array) For population analysis, an over field must be specified in the detector.
This property contains an array of anomaly records that are the causes for the
anomaly that has been identified for the over field. If no over fields exist,
this field is not present. This sub-resource contains the most anomalous records
for the <code class="literal">over_field_name</code>. For scalability reasons, a maximum of the 10 most
significant causes of the anomaly are returned. As part of the core analytical
modeling, these low-level anomaly records are aggregated for their parent over
field record. The causes resource contains similar elements to the record
resource, namely <code class="literal">actual</code>, <code class="literal">typical</code>, <code class="literal">geo_results.actual_point</code>,
<code class="literal">geo_results.typical_point</code>, <code class="literal">*_field_name</code> and <code class="literal">*_field_value</code>. Probability and
scores are not applicable to causes.
</dd>
<dt>
<span class="term">
<code class="literal">detector_index</code>
</span>
</dt>
<dd>
(number)
A unique identifier for the detector. This identifier is based on the order of
the detectors in the <code class="literal">analysis_config</code>, starting at zero.
</dd>
<dt>
<span class="term">
<code class="literal">field_name</code>
</span>
</dt>
<dd>
(string) Certain functions require a field to operate on, for example, <code class="literal">sum()</code>.
For those functions, this value is the name of the field to be analyzed.
</dd>
<dt>
<span class="term">
<code class="literal">function</code>
</span>
</dt>
<dd>
(string) The function in which the anomaly occurs, as specified in the
detector configuration. For example, <code class="literal">max</code>.
</dd>
<dt>
<span class="term">
<code class="literal">function_description</code>
</span>
</dt>
<dd>
(string) The description of the function in which the anomaly occurs, as
specified in the detector configuration.
</dd>
<dt>
<span class="term">
<code class="literal">geo_results.actual_point</code>
</span>
</dt>
<dd>
(string) The actual value for the bucket formatted as a <code class="literal">geo_point</code>. If the
detector function is <code class="literal">lat_long</code>, this is a comma-delimited string of the
latitude and longitude.
</dd>
<dt>
<span class="term">
<code class="literal">geo_results.typical_point</code>
</span>
</dt>
<dd>
(string) The typical value for the bucket formatted as a <code class="literal">geo_point</code>. If the
detector function is <code class="literal">lat_long</code>, this is a comma-delimited string of the
latitude and longitude.
</dd>
<dt>
<span class="term">
<code class="literal">influencers</code>
</span>
</dt>
<dd>
(array) If <code class="literal">influencers</code> was specified in the detector configuration, this array
contains influencers that contributed to or were to blame for an anomaly.
</dd>
<dt>
<span class="term">
<code class="literal">initial_record_score</code>
</span>
</dt>
<dd>
(number) A normalized score between 0 and 100, which is based on the probability of
the anomalousness of this record. This is the initial value that was calculated
at the time the bucket was processed.
</dd>
<dt>
<span class="term">
<code class="literal">is_interim</code>
</span>
</dt>
<dd>
(boolean)
If <code class="literal">true</code>, this is an interim result. In other words, the results are calculated
based on partial input data.
</dd>
<dt>
<span class="term">
<code class="literal">job_id</code>
</span>
</dt>
<dd>
(string)
Identifier for the anomaly detection job.
</dd>
<dt>
<span class="term">
<code class="literal">over_field_name</code>
</span>
</dt>
<dd>
(string)
The field used to split the data. In particular, this property is used for
analyzing the splits with respect to the history of all splits. It is used for
finding unusual values in the population of all splits. For more information,
see <a href="https://www.elastic.co/guide/en/machine-learning/7.7/ml-configuring-pop.html" class="ulink" target="_top">Performing population analysis</a>.
</dd>
<dt>
<span class="term">
<code class="literal">over_field_value</code>
</span>
</dt>
<dd>
(string) The value of the over field.
</dd>
<dt>
<span class="term">
<code class="literal">partition_field_name</code>
</span>
</dt>
<dd>
(string)
The field used to segment the analysis. When you use this property, you have
completely independent baselines for each value of this field.
</dd>
<dt>
<span class="term">
<code class="literal">partition_field_value</code>
</span>
</dt>
<dd>
(string) The value of the partition field.
</dd>
<dt>
<span class="term">
<code class="literal">probability</code>
</span>
</dt>
<dd>
(number) The probability of the individual anomaly occurring, in the range <code class="literal">0</code>
to <code class="literal">1</code>. This value can be held to a high precision of over 300 decimal places,
so the <code class="literal">record_score</code> is provided as a human-readable interpretation of it.
</dd>
<dt>
<span class="term">
<code class="literal">multi_bucket_impact</code>
</span>
</dt>
<dd>
(number) An indication of how strongly an anomaly is multi-bucket or single-bucket.
The value is on a scale of <code class="literal">-5.0</code> to <code class="literal">+5.0</code>, where <code class="literal">-5.0</code> means the
anomaly is purely single-bucket and <code class="literal">+5.0</code> means the anomaly is purely
multi-bucket.
</dd>
<dt>
<span class="term">
<code class="literal">record_score</code>
</span>
</dt>
<dd>
(number) A normalized score between 0 and 100, which is based on the probability of
the anomalousness of this record. Unlike <code class="literal">initial_record_score</code>, this value is
updated by a re-normalization process as new data is analyzed.
</dd>
<dt>
<span class="term">
<code class="literal">result_type</code>
</span>
</dt>
<dd>
(string) Internal. This is always set to <code class="literal">record</code>.
</dd>
<dt>
<span class="term">
<code class="literal">timestamp</code>
</span>
</dt>
<dd>
(date)
The start time of the bucket for which these results were calculated.
</dd>
<dt>
<span class="term">
<code class="literal">typical</code>
</span>
</dt>
<dd>
(array) The typical value for the bucket, according to analytical modeling.
</dd>
</dl>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Additional record properties are added, depending on the fields being
analyzed. For example, if the job analyzes <code class="literal">hostname</code> as a <em>by field</em>, then a field
<code class="literal">hostname</code> is added to the result document. This information enables you to
filter the anomaly results more easily.</p>
</div>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-record-example"></a>Examples
</h3>
</div></div></div>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET _ml/anomaly_detectors/low_request_rate/results/records
{
  "sort": "record_score",
  "desc": true,
  "start": "1454944100000"
}</pre>
</div>
<p>In this example, the API returns twelve results for the specified
time constraints:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "count" : 4,
  "records" : [
    {
      "job_id" : "low_request_rate",
      "result_type" : "record",
      "probability" : 1.3882308899968812E-4,
      "multi_bucket_impact" : -5.0,
      "record_score" : 94.98554565630553,
      "initial_record_score" : 94.98554565630553,
      "bucket_span" : 3600,
      "detector_index" : 0,
      "is_interim" : false,
      "timestamp" : 1577793600000,
      "function" : "low_count",
      "function_description" : "count",
      "typical" : [
        28.254208230188834
      ],
      "actual" : [
        0.0
      ]
    },
  ...
  ]
}</pre>
</div>
</div>
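<p>Reading a record means combining several of the fields listed in the response-body table: <code class="literal">timestamp</code> (epoch milliseconds, the start of the bucket), <code class="literal">actual</code> against <code class="literal">typical</code>, <code class="literal">multi_bucket_impact</code>, the <code class="literal">*_field_name</code> / <code class="literal">*_field_value</code> pairs that say which split the anomaly belongs to, whether <code class="literal">record_score</code> has drifted from <code class="literal">initial_record_score</code> through re-normalization, and the <code class="literal">causes</code> array for population analysis. The Python below is an added example, not code from the Elasticsearch documentation: it turns a records response into triage rows. The first sample record copies the values shown in the example output above; the second (a population-analysis record with <code class="literal">causes</code>, interim, with <code class="literal">over</code> and <code class="literal">partition</code> splits) is constructed for this example, as are the thresholds used to label <code class="literal">multi_bucket_impact</code>.</p>

```python
"""Added example (not from the Elasticsearch docs): turn a records response into
triage rows. Field names follow the response-body table; the second sample
record and the multi_bucket_impact thresholds are this example's own
constructions, not real job output or an Elastic-defined cut-off."""
from datetime import datetime, timezone
from typing import Any, Dict, List

SAMPLE_RESPONSE: Dict[str, Any] = {
    "count": 2,
    "records": [
        {   # values copied from the documented example output
            "job_id": "low_request_rate", "result_type": "record",
            "probability": 1.3882308899968812e-4, "multi_bucket_impact": -5.0,
            "record_score": 94.98554565630553, "initial_record_score": 94.98554565630553,
            "bucket_span": 3600, "detector_index": 0, "is_interim": False,
            "timestamp": 1577793600000, "function": "low_count",
            "function_description": "count",
            "typical": [28.254208230188834], "actual": [0.0],
        },
        {   # constructed population-analysis record (interim, re-normalized)
            "job_id": "low_request_rate", "result_type": "record",
            "probability": 0.002, "multi_bucket_impact": 3.5,
            "record_score": 61.0, "initial_record_score": 70.0,
            "bucket_span": 3600, "detector_index": 1, "is_interim": True,
            "timestamp": 1577797200000, "function": "high_count",
            "function_description": "count",
            "over_field_name": "clientip", "over_field_value": "198.51.100.7",
            "partition_field_name": "status", "partition_field_value": "500",
            "typical": [12.0], "actual": [480.0],
            "causes": [
                {"actual": [480.0], "typical": [12.0],
                 "over_field_name": "clientip", "over_field_value": "198.51.100.7"},
            ],
        },
    ],
}


def bucket_kind(impact: float) -> str:
    """Label multi_bucket_impact (-5.0 .. +5.0): negative leans single-bucket,
    positive leans multi-bucket. The +/-2.5 cut-offs are this example's choice."""
    if impact <= -2.5:
        return "single-bucket"
    if impact >= 2.5:
        return "multi-bucket"
    return "mixed"


def split_context(rec: Dict[str, Any]) -> str:
    """Join whichever partition/over/by field name-value pairs are present."""
    parts = []
    for prefix in ("partition", "over", "by"):
        name = rec.get(f"{prefix}_field_name")
        if name is not None:
            parts.append(f"{name}={rec.get(f'{prefix}_field_value')}")
    return ", ".join(parts) or "(no split)"


def triage_rows(response: Dict[str, Any], min_score: float = 0.0,
                include_interim: bool = False) -> List[Dict[str, Any]]:
    """One flat row per record worth looking at. Interim records are dropped by
    default because they are computed on partial bucket data and may change."""
    rows: List[Dict[str, Any]] = []
    for rec in response.get("records", []):
        if rec.get("result_type") != "record":
            continue  # the API only returns records, but stay defensive
        if rec["record_score"] < min_score:
            continue
        if rec.get("is_interim") and not include_interim:
            continue
        bucket_start = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)
        actual, typical = rec["actual"][0], rec["typical"][0]
        rows.append({
            "bucket_start": bucket_start.isoformat(),
            "detector": rec["detector_index"],
            "function": rec["function"],
            "score": round(rec["record_score"], 1),
            # True when re-normalization has moved the score since the bucket was processed
            "renormalized": rec["record_score"] != rec["initial_record_score"],
            "kind": bucket_kind(rec["multi_bucket_impact"]),
            "context": split_context(rec),
            "actual": actual,
            "typical": typical,
            "deviation": round(actual - typical, 3),
            "cause_count": len(rec.get("causes", [])),
        })
    return rows


if __name__ == "__main__":
    for row in triage_rows(SAMPLE_RESPONSE, include_interim=True):
        print(row)
```

<p>Two points worth keeping when you adapt this: compare <code class="literal">record_score</code> with <code class="literal">initial_record_score</code> if you alert on records, because re-normalization can lower a score that already paged someone, and treat <code class="literal">is_interim</code> results as provisional for the same reason.</p>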

</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>